---
title: "Auth & responses"
description: "Authentication, base URL, and response format"
---

Base URL: `https://<your-endpoint>` (see `k7 api-status` / `k7 get-api-endpoint`).

## Authentication

Send your API key via either header:

```http
X-API-Key: <your-key>
# or
Authorization: Bearer <your-key>
```

All endpoints return standard HTTP status codes. A request whose key is missing, invalid, or expired receives `401 Unauthorized`.

## Response envelope

Successful responses:

```json
{ "data": ... }
```

Errors:

```json
{ "error": { "code": "BadRequest", "message": "..." } }
```

Common error codes:

- `BadRequest` (400): Invalid input or missing parameters
- `Unauthorized` (401): Missing or invalid API key
- `NotFound` (404): Resource was not found
- `Conflict` (409): Resource already exists
- `UnprocessableEntity` (422): Validation failed
- `InternalServerError` (500): Unhandled error

## Headers

Required headers for requests with a body:

```http
Content-Type: application/json
```

Authentication headers (either):

```http
X-API-Key: <your-key>
# or
Authorization: Bearer <your-key>
```
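An added example (not k7's own client code) that applies the conventions above: it builds either authentication header, redacts credentials before logging, and unwraps the `data`/`error` envelope, including responses that are not JSON at all. The function names, the `ApiError` class and the `K7_API_KEY` environment variable are assumptions made for this example.

```python
import json
import os

# Status -> error code pairs as listed on this page.
ERROR_CODES = {
    400: "BadRequest", 401: "Unauthorized", 404: "NotFound",
    409: "Conflict", 422: "UnprocessableEntity", 500: "InternalServerError",
}

class ApiError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message

def build_headers(api_key, has_body=False, bearer=False):
    """Return request headers; reject keys that could smuggle extra header lines."""
    if not api_key or any(c in api_key for c in "\r\n") or api_key != api_key.strip():
        raise ValueError("API key is empty, padded with whitespace, or contains line breaks")
    headers = {"Authorization": f"Bearer {api_key}"} if bearer else {"X-API-Key": api_key}
    if has_body:
        headers["Content-Type"] = "application/json"
    return headers

def redact(headers):
    """Copy of headers safe for logging: credential values replaced by a marker."""
    secret = {"x-api-key", "authorization"}
    return {k: ("<redacted>" if k.lower() in secret else v) for k, v in headers.items()}

def parse_envelope(status, body):
    """Return the `data` payload, or raise ApiError built from the `error` object."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = None  # e.g. an HTML error page from a proxy in front of the API
    if 200 <= status < 300 and isinstance(doc, dict) and "data" in doc:
        return doc["data"]
    err = doc.get("error") if isinstance(doc, dict) else None
    if isinstance(err, dict):
        raise ApiError(status, str(err.get("code", ERROR_CODES.get(status, "Unknown"))),
                       str(err.get("message", "")))
    raise ApiError(status, ERROR_CODES.get(status, "Unknown"), "response did not match the envelope")

if __name__ == "__main__":
    # K7_API_KEY is an assumed variable name; the fallback value is a constructed sample.
    hdrs = build_headers(os.environ.get("K7_API_KEY", "constructed-sample-key"), has_body=True)
    print(redact(hdrs))
    print(parse_envelope(200, '{"data": {"ok": true}}'))
```

Reading the key from the environment keeps it out of source control, and logging only the output of `redact` keeps it out of log files.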

## Resources

- Sandboxes: create, list, get, delete, delete-all
- Exec: run a command in a sandbox and get stdout/stderr/exit_code
- Metrics: CPU and memory usage per sandbox

<Info>
Health endpoints:

- `GET /` → basic API info
- `GET /health` → health check
</Info>


